The 'target' was Target

One well-documented example of poor human behaviour leading to an organisational breach is the 2013 Target data breach. Here’s how it unfolded:

The breach

In 2013, the retailer Target Corporation suffered a massive data breach that exposed the credit card information of 40 million customers and personal information of 70 million customers. The root cause of the breach can be traced to human error, inadequate supply chain vetting and poor cybersecurity practices.

Poor human behaviour

Attackers gained access to Target’s network by phishing an employee at an HVAC subcontractor, Fazio Mechanical Services, which worked with Target.

An employee at Fazio clicked on a malicious email attachment, giving attackers access to their credentials.

Inadequate supply chain security policy

Fazio was granted access to Target’s network for remote monitoring of its systems, but it lacked robust cybersecurity measures like multifactor authentication or network segmentation.

Target’s policies failed to enforce stricter controls on vendor access.

Failure to act on alerts

Once the attackers gained access, they moved laterally within Target’s network and installed malware on point-of-sale (POS) systems.

Target’s IT team received alerts from their FireEye security software about suspicious activity but failed to act promptly, largely due to poor decision-making and ineffective communication.

Consequences

  • Financial costs. Target incurred losses exceeding $200 million in settlements, legal fees, and operational impacts.
  • Reputational damage. The breach eroded customer trust and negatively affected sales during a crucial holiday shopping season.
  • Stricter regulations. The breach highlighted the importance of vendor management and spurred stronger cybersecurity compliance measures across industries.

This example shows how human error, poor cybersecurity practices, and failure to respond to warnings can contribute to catastrophic organisational breaches.
